Educause Security Discussion mailing list archives

Re: Trying to manage the move to the cloud

From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Fri, 11 Mar 2011 08:06:12 -0500

We are taking a classification-centric approach to information protection and management.  If the information is 
classified as public, do with it as you will.  If the information is Confidential or Restricted (our highest 
classification), then strict protection requirements apply.  We do not explicitly state that university-provided 
services *must* be used, but the protection requirements are detailed enough that meeting them in another way would be 
prohibitive.  Part of the policy governing Restricted information requires a review and physical signoff by information 
security for any system/solution that is not part of central services and is intended to carry restricted data.

Warm Regards,

Quinn R Shamblin
-----------------------------------------------------------------------------
Executive Director of Information Security, Boston University
GCFA, CISSP, PMP  -  O 617-358-6310  M 617-999-7523


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Chancellor, Beth C.
Sent: Thursday, March 10, 2011 9:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Trying to manage the move to the cloud

All,

It is clear that many of us are dealing with the challenges of when, if and how to adopt public cloud computing models. 
 In the mean time, it's concerning that at least some of our users are using free cloud services on their own.   Like 
many of you, my institution has policies about appropriate use (AUP), privacy policies, perquisite use policies, etc.  
What we don't have is a policy that say "you must use the IT resources provided by your institution" even if other 
resources are available at no cost.

I am concerned about the onsie-twosie uses of Mozy, yahoo, hotmail, gmail, wikispaces, skydrives, and other free 
services  (and sometimes not free) that have not been reviewed or endorsed by central IT.

Have any of you written or adopted policies that require the use of University provided or endorsed IT resources and 
that prohibit the use of non-endorsed resources when conducting university business?

Beth



Beth Chancellor, MEd, CISSP
Associate CIO and Chief Information Security Officer
University of Missouri
(573) 882-2434

Current thread:

Trying to manage the move to the cloud Chancellor, Beth C. (Mar 10)
- Re: Trying to manage the move to the cloud Schoenefeld, Keith P. (Mar 10)
  - Re: Trying to manage the move to the cloud Mclaughlin, Kevin (mclaugkl) (Mar 11)
    - Re: Trying to manage the move to the cloud Lorenz, Eva (Mar 11)
    - Re: Trying to manage the move to the cloud Neil Sindicich (Mar 29)
- Re: Trying to manage the move to the cloud Shamblin, Quinn (Mar 11)
- Re: Trying to manage the move to the cloud Bob Bayn (Mar 11)
  - Re: Trying to manage the move to the cloud Jeffrey I. Schiller (Mar 11)
    - Re: Trying to manage the move to the cloud Nathan Zierfuss (Mar 11)
    - Re: Trying to manage the move to the cloud Leon DuPree (Mar 29)